FinCEN’s AML Reset: Proposed Rule Rewrites the Playbook for AML/CFT Programs

On April 7, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued a Notice of Proposed Rulemaking (NPRM) that would significantly revise Bank Secrecy Act (BSA) anti-money laundering and countering the financing of terrorism (AML/CFT) program requirements across a broad range of financial institutions. The proposal is a central element of the U.S. Department of the Treasury’s effort to modernize the AML/CFT framework by moving away from purely technical, process-driven compliance toward demonstrable effectiveness in identifying, mitigating, and reporting money laundering, terrorist financing, and related illicit finance risks.

If adopted, the rule would require covered institutions to recalibrate their AML/CFT programs to be genuinely risk-based, to integrate FinCEN’s AML/CFT priorities into their risk assessment processes, and to satisfy clear expectations regarding governance, independent testing, and the defined role of a U.S.-based AML/CFT officer. For banks, the proposal would also introduce a new supervision and enforcement framework that concentrates significant actions on material failures to implement an otherwise properly established program and strengthens FinCEN’s central role in AML/CFT oversight.

The proposal supersedes and withdraws FinCEN’s July 3, 2024, AML program NPRM. Financial institutions should anticipate that, once finalized, the rule will require a careful reassessment of existing AML/CFT programs to ensure they meet the new standards for program establishment and maintenance, including integration of AML/CFT priorities and documentation of risk-based resource allocation decisions.

Comments are due 60 days after publication in the Federal Register (Docket No. FINCEN-2026-0034; RIN 1506-AB72), and FinCEN proposes a 12‑month implementation period following issuance of a final rule.

Scope of the Proposal

The NPRM would amend AML/CFT program requirements in 31 CFR Part 1010 and Parts 1020–1030 for banks (including credit unions and banks without a federal functional regulator), casinos and card clubs, money services businesses (MSBs), broker-dealers, mutual funds, certain insurance companies, futures commission merchants (FCMs) and introducing brokers in commodities (IBCs), dealers in precious metals, stones, or jewels (DPMSJs), operators of credit card systems, loan or finance companies, and housing government-sponsored enterprises (GSEs). Registered investment adviser AML/CFT rules are being addressed in separate rulemaking and are not affected by this proposal.

Key Material Changes to AML/CFT Program Requirements

“Effective” Program Standard Definition and Maintenance

The proposal introduces a formal definition of an “effective” AML/CFT program. A program is “effective” if the institution: (i) properly establishes it in accordance with the minimum regulatory components; and (ii) maintains it by implementing the program in all material respects. FinCEN expressly acknowledges that no program can eliminate all illicit activity or capture every suspicious transaction; rather, the standard focuses on whether the program is reasonably designed to ensure BSA compliance, identify and mitigate the institution’s actual money laundering and terrorist financing risks, and generate information that is highly useful to law enforcement and national security agencies.

Risk-Based Internal Controls and Mandatory Risk Assessment Processes

Every covered financial institution would be required to establish a risk-based set of internal policies, procedures, and controls that are reasonably designed to ensure BSA compliance and to: (i) identify, assess, and document money laundering, terrorist financing, and other illicit finance risks through risk assessment processes; and (ii) mitigate those risks consistent with those assessments.

The risk assessment processes must evaluate risks arising from the institution’s products and services, distribution channels, customers, intermediaries, and geographic exposure, and must be updated promptly when the institution knows or has reason to know that its risk profile has significantly changed (for example, due to new products, markets, or customer types).

Incorporation of FinCEN AML/CFT Priorities into Risk Assessments

The Anti-Money Laundering Act of 2020 requires FinCEN to issue governmentwide AML/CFT priorities and to incorporate them into AML/CFT program requirements. Under the NPRM, covered institutions would be required to review FinCEN’s AML/CFT priorities and, as appropriate, incorporate them into their risk assessment processes. Institutions are expected to evaluate the relevance of each priority to their business and risk profile and to be able to explain why certain priorities are or are not material. FinCEN cautions that superficial treatment of the priorities will not satisfy supervisory expectations.

Explicit Risk-Based Resource Allocation

The proposal embeds the AML Act’s expectation that AML/CFT programs be risk-based, including by directing more attention and resources toward higher-risk customers and activities, consistent with the institution’s risk profile, rather than toward lower-risk customers and activities. FinCEN intends this formulation to give institutions greater comfort in reallocating resources away from lower-risk areas without fear that such reallocation, by itself, will be cited adversely, so long as it is grounded in reasonably designed risk assessments and controls.

US-Based AML/CFT Officer and Standardized Governance Requirements

Consistent with the AML Act, each covered institution would be required to designate an AML/CFT officer who is located in the U.S., accessible to, and subject to oversight and supervision by FinCEN and, where applicable, the appropriate federal functional regulator or self-regulatory organization. That individual must be responsible for establishing and implementing the AML/CFT program and coordinating and monitoring day-to-day compliance. The NPRM also standardizes governance expectations by requiring that the written AML/CFT program be approved by the board of directors, an equivalent governing body, or appropriate senior management, and be made available to FinCEN or its designee upon request.

Harmonized Independent Testing and Training Requirements

The NPRM aims to harmonize and clarify the existing “independent audit” pillar by requiring independent AML/CFT program testing, conducted either by internal personnel who are independent of the AML/CFT function and relevant business lines or by a qualified external party. Testing is expected to be risk based and focused on program effectiveness, not merely technical completeness. The rule also seeks to standardize the requirement for an ongoing employee training program across all covered institution types, with content and frequency calibrated to the institution’s risk profile and personnel roles.

Bank-Specific Supervision and Enforcement Framework

For banks, the proposal would create a new supervisory and enforcement framework. Where a bank has properly established an AML/CFT program under the rule, FinCEN and the federal banking agencies, when acting under FinCEN’s delegated authority, would not base an AML/CFT enforcement action or “significant AML/CFT supervisory action” solely on the program rule absent a significant or systemic failure to implement the program — that is, a failure to implement the program in all material respects. The NPRM also would require the federal banking agencies to consult with FinCEN before initiating such significant AML/CFT supervisory actions, and would direct FinCEN to consider, among other statutory factors, a bank’s contributions to AML/CFT priorities and responsible use of innovative tools (such as advanced analytics and artificial intelligence) in assessing program effectiveness and potential enforcement.

Practical Considerations for Financial Institutions

Even before the rule is finalized, covered institutions should begin assessing their existing AML/CFT programs against the proposed framework. Key initial steps include:

• Mapping current policies and controls to the new establishment criteria (risk assessments, internal controls, independent testing, AML/CFT officer, training, and CDD where applicable);  
• Evaluating whether risk assessment processes meaningfully incorporate FinCEN’s AML/CFT priorities;  
• Documenting how AML/CFT resources are currently allocated across higher- and lower-risk areas;  
• Confirming governance structures and the location and authority of the AML/CFT officer align with the proposal;  
• Reviewing the independence and focus of AML/CFT testing; and  
• Considering where technology and innovation could enhance program effectiveness and efficiency.  

Given the breadth and significance of the proposed changes — and the explicit shift toward an effectiveness-and risk-based paradigm — many institutions should consider submitting comments, individually or through industry associations, to help shape the contours of the final rule, including definitions of “significant or systemic failure” to implement, expectations for risk assessment updates, and the treatment of model risk management and advanced analytics.